This week’s ransomware news was dominated by a Royal ransomware attack on the city of Dallas that took down part of the city’s IT infrastructure.
The attack began early Monday, affecting the Dallas police dispatch system and the public library’s computer network. Other systems, including the city’s website, were subsequently shut down.
On Wednesday, the city’s network printers began printing ransom notes. BleepingComputer obtained a screenshot of the note, allowing us to identify the Royal ransomware operation as the group behind the attack.
Although it may seem counterintuitive to target a local government, Bill Siegel of the ransomware incident response firm Coveware told BleepingComputer that about 35% of the public sector cases they handled ended with the victim paying a ransom.
This includes local governments, schools, police or other publicly funded entities.
“Historically, public sector victims pay ransoms in 35% of the cases we handled. This is 10 percentage points lower than the overall industry-wide average in Q1 2023 (45%),” Siegel told BleepingComputer.
“I would add that the actual rate is probably even lower because public sector victims are much less likely to seek external help from IR firms, especially if they are very small, so there are probably a large number of incidents where the public sector victim simply deals with the impact and doesn’t even bother to consider paying the criminal responsible.”
Other ransomware attacks and developments this week are summarized in the daily entries below.
Law enforcement also scored a victory this week when the FBI announced it had seized nine crypto exchanges used to launder ransomware payments and stolen cryptocurrency.
Finally, WithSecure published an interesting report on threat actors targeting Veeam backup servers to gain initial access to corporate networks.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @serghei, @demonslay335, @billtoulas, @Ionut_Ilascu, @fwosar, @LawrenceAbrams, @BleepinComputer, @Seifreed, @AlvieriD, @WithSecure, @PogoWasRight, @pcrisk, @siri_urz, @Unit42_Intel, and @BrettCallow.
April 29, 2023
Veeam backup servers are being targeted by at least one group of threat actors known to work with several high-profile ransomware gangs.
May 1, 2023
Ransomware operation ALPHV, aka BlackCat, released screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to company systems even as the company was responding to the breach.
May 2, 2023
The FBI and Ukrainian police seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.
PCrisk has found new STOP ransomware variants that append the .saba, .sato, and .fofd extensions.
PCrisk has found a new Dharma Ransomware variant that adds the .h3r extension.
PCrisk has found a new Phobos Ransomware variant that adds the .BOOM extension.
PCrisk has found a new Xorist Ransomware variant that adds the .CrypBits256PT2 extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.
PCrisk has found a new variant of MedusaLocker Ransomware which adds the .attacksystem extension.
PCrisk has found new ransomware that adds the .zhong extension and drops a ransom note named Restore.txt.
May 3, 2023
Pediatric mental health provider Brightline is warning patients that it suffered a data breach affecting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its secure file-transfer platform, Fortra GoAnywhere MFT.
The city of Dallas, Texas suffered a Royal ransomware attack, forcing it to shut down some of its computer systems to prevent the attack from spreading.
PCrisk has found the new Rec_rans Ransomware which adds the .rec_rans extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.
May 4, 2023
The Avos ransomware gang hijacked Bluefield University’s emergency broadcast system, “RamAlert”, to send students and staff text messages and email alerts that their data had been stolen and would soon be published.
PCrisk has found a new Xorist ransomware variant that adds the .btc-Apt2 extension and drops a ransom note named HOW TO DECRYPTE .txt FILES.
May 5, 2023
Diversified Canadian software company Constellation Software confirmed on Thursday that some of its systems had been breached by threat actors who also stole personal information and business data.